2.3.5.3 (L1) Ensure 'Domain controller: LDAP server channel binding token requirements' is set to 'Always' (DC Only)

Information

This setting determines whether the LDAP server (Domain Controller) enforces validation of Channel Binding Tokens (CBT) received in LDAP bind requests that are sent over SSL/TLS (i.e. LDAPS).

The recommended state for this setting is: Always

Note: All LDAP clients must have the

CVC-2017-8563

security update to be compatible with Domain Controllers that have this setting enabled. More information on this setting is available at:

MSKB 4520412: 2020 LDAP channel binding and LDAP signing requirements for Windows

Requiring Channel Binding Tokens (CBT) can prevent an attacker who is able to capture users' authentication credentials (e.g. OAuth tokens, session identifiers, etc.) from reusing those credentials in another TLS session. This also helps to increase protection against 'man-in-the-middle' attacks using LDAP authentication over SSL/TLS (LDAPS).

Solution

To establish the recommended configuration via GP, set the following UI path to Always :

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Domain controller: LDAP server channel binding token requirements

Note: This Group Policy path requires the installation of the March 2020 (or later) Windows security update. With that update, Microsoft added this setting to the built-in OS security template.

Impact:

All LDAP clients must provide channel binding information over SSL/TLS (i.e. LDAPS). The LDAP server (Domain Controller) rejects authentication requests from clients that do not do so. Clients must have the

CVC-2017-8563

security update to support this feature, and may have compatibility issues with this setting without the security update. This may also mean that LDAP authentication requests over SSL/TLS that previously worked may stop working until the security update is installed.

When first deploying this setting, you may initially want to only set it to the alternate setting of When supported (instead of Always ) on all Domain Controllers. This alternate, interim setting enables support for LDAP client channel binding but does not

require

it. Then set one DC that is not currently being targeted by LDAP clients to Always and test each of the critical LDAP clients against that DC (and remediating as necessary), before deploying Always to the rest of the DCs.

We also recommend using the new Event ID 3039 on your Domain Controllers (added with the March 2020 security update) to help locate clients that do not use Channel Binding Tokens (CBT) in their LDAPS connections. This new Event ID requires increasing the logging level of the 16 LDAP Interface Events portion of the NTDS service diagnostics to a value of 2 (Basic). For more information, please see

Table 2: CBT events

at this link:

MSKB 4520412: 2020 LDAP channel binding and LDAP signing requirements for Windows

Older OSes such as Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008 (non-R2), will first require patches for

Microsoft Security Advisory 973811

, as well as all associated fixes, in order to be compatible with domain controllers that have this setting deployed.

Note: Only Always is actually considered compliant to the CIS benchmark.

See Also

https://workbench.cisecurity.org/benchmarks/17096

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|16.5

Plugin: Windows

Control ID: 24f878a00cd4fd5c795a2e6e84e0e0d234dc51941c0a3ebc37314f3f6cd21a25